Question
Week 3: Health Data Breach Response Plan: A Managed Care Organization’s Comprehensive Plan
As the Chief Privacy Officer (CPO) of a competitive managed care organization, you have been advised of a breach in the privacy, security and confidentiality of sensitive patient data that occurred at the hands of an employee who was a willing participant in a large identity theft ring. After a tip received from the FBI, a six-month investigation was conducted. The employee sold hundreds of health records over the span of three years for an undisclosed amount of money. After immediate termination and prosecution, the next step is to develop a comprehensive Health Data Breach Response Plan, a project assigned to you by the CEO.
Deliverables: The final product to submit is a comprehensive plan that includes the following:
Propose a data response plan that addresses the following:
Step One: The organization’s response to the notification of a breach
Step Two: Identify those responsible parties (by titles) to respond to the notification of breach and explain each of their roles in the process
Step Three: Procedure(s) to confirm the occurrence of a breach & identify the involved scope/type of data involved
Step Four: A three (3)-point system to measure the impact of the data breach & the action(s) taken for each level of impact
Step Five: Data breach response and corrective practices
Step Six: Monitor/test effectiveness of response and corrective practices
Step Seven: Notification (public and customer; specify whether all customers are notified or just those impacted)
Proposed annual schedule of conducted risk analysis (frequency) to assess the organization’s susceptibility to data security risks, and identify the person(s) to conduct the scheduled risk analysis
Create a risk analysis data security checklist to identify human, technical, environmental, and natural threats
Required checklist categories: identified threat, contributing factors, example of threat, the likeliness of occurrence and the potential impact to the organization (negative impacts)
Determine a system to determine/rate the likeliness of occurrence and the potential impact to the managed care organization
A list of specific resources in place to respond to a data breach
Identification and incorporation of Health Insurance Portability and Accountability Act (HIPAA) security standards safeguards within the data response plan:
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Create an agenda of topics to present in an organization-wide employee training on the topic “What is My Role in the Prevention of an Organization’s Breach of Data”
Answer
Introduction
It is the duty of every healthcare organisation to properly maintain the personal data of every individual person in order to ensure that it is not leaked into the public domain. Healthcare data of an individual can contain sensitive information (Poon et al., 2006). In the given case there has been a security breach that has caused sensitive patient data related to healthcare to be leaked into the public domain, and it has been identified that one of the workers of the organisation has been responsible for this act.
The following report is about preparing a health data breach response plan by the Chief Privacy Officer of the healthcare institution that will ensure all future data related to personal patient care is carefully protected and strict action is taken against the individual responsible for the breach.
Health Data Action Plan
Step One: The organization’s response to the notification of a breach
At the very first step it is the duty of the healthcare organisation to ensure that it publishes a proper notification informing the workers about the security breach that took place within the organisation. This will help all the workers to ensure all the data are carefully protected, and it can also help to identify the individual responsible for this breach.
Step Two: Identify those responsible parties (by titles) to respond to the notification of breach and explain each of their roles in the process
The parties that will respond to the notification of breach include the organizational management, which will employ an investigation team for the situation. Another one is the investigation team, which will venture to investigate and analyze the theft and will attempt to discover the identity of the criminal. Lastly, the legal team will evaluate and determine the course of action that will be legitimate and most appropriate for the current situation, and curate breach protection protocols to ensure prevention of such activity in the near future (Poon et al., 2006).
Step Three: Procedure(s) to confirm the occurrence of a breach & identify the involved scope/type of data involved
All the important and confidential data of the organization is secured through a centralized and protected information technology system, and breach of classified data is a highly criminal offense. Different breach notification measures are available that can overlook and then confirm the data breach procedures, involving activities like formal data breach reporting to the authorities, followed by data breach investigation and lastly the data breach confirmation (Pai & Huang, 2011).
Step Four: A three (3)-point system to measure the impact of the data breach & the action(s) taken for each level of impact
It is important to measure the impact of the data breach that can help to prepare for the overall action plan:
- Leaking of confidential data: In a health care organization, there is much confidential data about the medical history of a patient. Hence, there is a chance of exposing the medical data that can be misused by external agents (Poon et al., 2006).
- Leaking of the financial plan: There is also the risk of leaking financial information of the healthcare information centre, which can cause financial loss to the organization.
- Lowering of the reputation of the organization: As the organization is not able to protect the personal information of the patient, it is not possible to deal with the reputation of the organization.
Step Five: Data breach response and corrective practices
A data breach response should be a quick action response in order to reduce the harmful consequences of a security data breach, and moreover the corrective procedures or practices should be swift and efficient to ensure rapid recovery from the risk situation (Team, 2015).
Step Six: Monitor/test effectiveness of response and corrective practices
Monitoring of the effectiveness of the response programs to any data theft situation is paramount; it overlooks the progress of the investigation process and eliminates any chance of corruption or bias.
Step Seven: Notification (public and customer; specify whether all customers are notified or just those impacted)
All the customers of the healthcare organisation are notified about the security breach situation so that they can take proper precautionary measures in order to minimise the impact.
It should not escape notice that the importance of compliance with the Health Insurance Portability and Accountability Act by the healthcare organization is paramount, and health care organizations ensure compliance with the laws and policies in order to protect the important relevant data related to healthcare (Dwyer et al., 2004).
References
Dwyer III, S. J., Weaver, A. C., & Hughes, K. K. (2004). Health insurance portability and accountability act. Security Issues in the Digital Medical Enterprise, 72(2), 9-18.
Pai, F. Y., & Huang, K. I. (2011). Applying the technology acceptance model to the introduction of healthcare information systems. Technological Forecasting and Social Change, 78(4), 650-660.
Poon, E. G., Jha, A. K., Christino, M., Honour, M. M., Fernandopulle, R., Middleton, B., ... & Kaushal, R. (2006). Assessing the level of healthcare information technology adoption in the United States: a snapshot. BMC Medical Informatics and Decision Making, 6(1), 1.
Team, V. R. (2015). 2015 Data Breach Investigations Report.